
Active Administrator 8.4 - User Guide


Windows Services alerts

Table 147. Windows® Services alerts

Azure Active Directory Connect Sync service status

Azure Active Directory Sync service is in a stopped state.

Azure Active Directory Connect Health Sync Insights service status

Azure Active Directory Connect Health Sync Insights is in a stopped state.

Azure Active Directory Connect Health Sync service

Azure Active Directory Connect Health Sync service is in a stopped state.

Connectivity alerts

Azure Active Directory connectivity

Azure Active Directory connectivity test failed.

Azure Active Directory database connectivity

Connectivity to the Azure Active Directory Connect database was lost.

Event ID alerts

Table 149. Event ID alerts

Event ID 106

Failed to connect to Azure Active Directory during the Export step.

Event ID 109

Failed to connect to Azure Active Directory during the Import step.

Event ID 6801

Error occurred communicating with Azure Active Directory.

Event ID 6803

Generic - the Export step encountered one or more errors.

Event ID 6941

Export encountered one of the following errors: DataValidationFailed, InvalidSoftMatch, or AttributeValueMustBeUnique. Event 6941 is logged once for each error.

Event ID 6001

Run profile failed because a connection could not be established to the server.

Event ID 611

Password Synchronization Full Sync has failed.

Event ID 6012

Full Import failed - no objects were returned from the operation.

Event ID 6100

Run profile step completed with errors. The event is logged as a warning. Additional information will be returned.

Event ID 6105

The “Exported Change not Reimported” error was returned during an Import run profile operation.

Event ID 6610, 6126, and 6127

The configuration has changed since the last run profile of this type (Import or Sync). A full import or sync was not performed.

 

Event Definitions

Event definitions are used to create alerts and reports. The event definitions file, EventDefinitions.edx, is located in the Active Administrator\Server folder. Occasionally new event definition files are made available. You can import these new event definitions into your auditing database. See Managing event definitions.

Active Administrator AFS Service Started

Active Administrator

Active Administrator AFS Service Stopped

Active Administrator

Active Administrator Alert Added

Active Administrator

Active Administrator Alert Deleted

Active Administrator

Active Administrator Alert Updated

Active Administrator

Active Administrator Audit Agent Activated

Active Administrator

Active Administrator Audit Agent Configuration Changed

Active Administrator

Active Administrator Audit Agent Installation Failed

Active Administrator

Active Administrator Audit Agent Installation Succeeded

Active Administrator

Active Administrator Audit Agent Moved

Active Administrator

Active Administrator Audit Agent Uninstalled

Active Administrator

Active Administrator Delegation Added

Active Administrator

Active Administrator Delegation Broken

Active Administrator

Active Administrator Delegation Removed

Active Administrator

Active Administrator Delegation Repaired

Active Administrator

Active Administrator Delegation Updated

Active Administrator

Active Administrator DNS Test Failed

Active Administrator

Active Administrator DNS Test Succeeded

Active Administrator

Active Administrator Domain Controller Excluded

Active Administrator

Active Administrator Event Definition Disabled

Active Administrator

Active Administrator Event Definition Enabled

Active Administrator

Active Administrator Event Purge History Cleared

Active Administrator

Active Administrator Event Purged / Archived

Active Administrator

Active Administrator Global Alert Quiet Time Added

Active Administrator

Active Administrator Global Alert Quiet Time Changed

Active Administrator

Active Administrator Global Alert Quiet Time Removed

Active Administrator

Active Administrator GPO History Backups Purged

Active Administrator

Active Administrator GPO Rollback Completed

Active Administrator

Active Administrator GPO Rollback Failed

Active Administrator

Active Administrator GPO Rollback Started

Active Administrator

Active Administrator Group Policy Object Added to the Repository

Active Administrator

Active Administrator Group Policy Object Checked Into the Repository

Active Administrator

Active Administrator Group Policy Object Checked Out of the Repository

Active Administrator

Active Administrator Group Policy Object Published to Active Directory

Active Administrator

Active Administrator Group Policy Object Removed from the Repository

Active Administrator

Active Administrator Group Policy Object Restored

Active Administrator

Active Administrator new Domain Controller Discovered

Active Administrator

Active Administrator Trustee Added

Active Administrator

Active Administrator Trustee Removed

Active Administrator

Active Directory Backup Completed

Active Administrator

Active Directory Backup Failed

Active Administrator

Active Directory Backup Purge History Cleared

Active Administrator

Active Directory Backup Started

Active Administrator

Active Directory Backups Purged

Active Administrator

Active Directory Replication Test Failed

Active Administrator

Active Directory Replication Test Succeeded

Active Administrator

Active Directory Restore Completed

Active Administrator

Active Directory Restore Failed

Active Administrator

Active Directory Restore Started

Active Administrator

Active Directory Shared Folder Changed

Shared Folder

Active Directory Shared Folder Created

Shared Folder

Active Directory Shared Folder Deleted

Shared Folder

AD Object Changed

General

AD Object Created

General

AD Object Renamed / Moved

General

Audit Agent Database Connectivity Lost

Active Administrator

Audit Agent Database Connectivity Restored

Active Administrator

Azure AD Group Added

Azure AD

Azure AD Group Deleted

Azure AD

Azure AD Group Updated

Azure AD

Azure AD User Added

Azure AD

Azure AD User Deleted

Azure AD

Azure AD User Updated

Azure AD

Certificate Added to Repository

Active Administrator

Computer Account Changed

Computer

Computer Account Created

Computer

Computer Account Deleted

Computer

Contact Changed

Contact

Contact Created

Contact

Contact Deleted

Contact

Domain Master Changed

FSMO

Domain Trust Created (Windows 2000 only)

Trust

Event Log Cleared

Security

Global Distribution Group Changed

Group

Global Distribution Group Created

Group

Global Distribution Group Deleted

Group

Global Group Changed

Group

Global Group Created

Group

Global Group Deleted

Group

GPO Changed

Group Policy

GPO Created

Group Policy

GPO Deleted

Group Policy

GPO Password Complexity Disabled

Group Policy

GPO Password Complexity Enabled

Group Policy

GPO Security Group Filters Changed

Group Policy

Group Policy Links Changed

Group Policy

Group Type Changed

Group

Infrastructure Master Changed

FSMO

Kerberos authentication ticket (TGT) was requested

User

Kerberos Pre-Auth Failed (Bad Password)

User

Local Distribution Group Changed

Group

Local Distribution Group Created

Group

Local Distribution Group Deleted

Group

Local Group Changed

Group

Local Group Created

Group

Local Group Deleted

Group

Logged onto DC (Local)

User

Logged onto DC (Remote)

User

Logon Failed (Bad Password)

User

Logon Failed (NTLM - Bad Password)

User

Logon Failed (NTLM - Unknown Username)

User

Logon Failed (Unknown Username)

User

Member Added to BUILTIN Group

Group Membership

Member Added to Global Distribution Group

Group Membership

Member Added to Global Group

Group Membership

Member Added to Local Distribution Group

Group Membership

Member Added to Local Group

Group Membership

Member Added to Universal Distribution Group

Group Membership

Member Added to Universal Group

Group Membership

Member Removed from BUILTIN Group

Group Membership

Member Removed from Global Distribution Group

Group Membership

Member Removed from Global Group

Group Membership

Member Removed from Local Distribution Group

Group Membership

Member Removed from Local Group

Group Membership

Member Removed from Universal Distribution Group

Group Membership

Member Removed from Universal Group

Group Membership

Object Owner Changed

Security

Object Permissions Changed

Security

One Way Incoming Trust Created

Trust

One Way Outgoing Trust Created

Trust

OU Changed

Organizational Unit

OU Created

Organizational Unit

OU Deleted

Organizational Unit

PDC Master Changed

FSMO

Printer Changed

Printer

Printer Created

Printer

Printer Deleted

Printer

Rejected Simple LDAP Bind Requests

LDAP Signing

Repository Certificate Delete

Active Administrator

Repository Certificate Updated

Active Administrator

RID Master Changed

FSMO

Schema Master Changed

FSMO

Site Changed

Site

Site Created

Site

Site Deleted

Site

SMTP Virtual Directory Changed

Exchange Server

Subnet Changed

Subnet

Subnet Created

Subnet

Subnet Deleted

Subnet

System Audit Policy Was Changed

Group Policy

System Time was Changed

System

Trust Deleted

Trust

Trust Modified

Trust

Two Way Trust Created

Trust

Universal Distribution Group Changed

Group

Universal Distribution Group Created

Group

Universal Distribution Group Deleted

Group

Universal Group Changed

Group

Universal Group Created

Group

Universal Group Deleted

Group

Unsigned LDAP Client Details

LDAP Signing

User Account Changed

User

User Account Created

User

User Account Deleted

User

User Account Disabled

User

User Account Enabled

User

User Account Locked Out

User

User Account Type Changed

User

User Account Unlocked

User

User Attribute Changed

User

User Change Password Attempt Failed

User

User Change Password Attempt Succeeded

User

User Locked Workstation

Workstation

User Logoff

Workstation

User Logon (Interactive for Windows 2012 Server)

Workstation

User Logon (Interactive for Windows 2016 Server)

Workstation

User Logon (Interactive)

Workstation

User Logon (Remote Desktop)

Workstation

User Password Reset

User

User Unlocked Workstation

Workstation

Windows Shutdown

System

Windows Started

System

 
